The present invention relates generally to intrusion detection systems for computer systems, and more particularly, relates to intrusion detection systems having dynamic response capabilities for suppressing and automatically taking countermeasures against suspected and actual intruders and misusers.
development of the computer and its astonishingly rapid improvement have ushered in the Information Age that affects almost all aspects of commerce and society. Just like the physical infrastructures that support the American economy, there is a highly developed computer infrastructure that supports the American and worldwide economy.
Besides traditional physical threats to United States security, the security of the United States is also dependent on protecting the computer infrastructure that supports American government and industry. The computer infrastructure is open to attack by hackers and others, who could potentially wreak havoc.
The President of the United States has recognized the existence of these infrastructures and has created the President""s Commission on Critical Infrastructure Protection. This Commission was constituted to determine which industries are critical and whether these industries were vulnerable to cyber attack. The Commission issued a report and deemed transportation, oil and gas production and storage, water supply, emergency services, government services, banking and finance, electrical power and telecommunications to be critical infrastructures which rely on the computer infrastructure.
A personal computer and a modem access to the Internet are all the tools that a computer hacker needs to conduct a cyber attack on a computer system. The rapid growth of a computer-literate population ensures that millions of people possess the skills necessary to consider a cyber attack. The computer literate population includes recreational hackers who attempt to gain unauthorized electronic access to information and communication systems. These computer hackers are often motivated only by personal fascination with hacking as an interesting game. Criminals, and perhaps organized crime, might also attempt personal financial gain through manipulation of financial or credit accounts or stealing services. Industrial espionage can also be the reason for a cyber attack on a competitor""s computer system. Terrorists may attempt to use the computer infrastructure. Other countries may use the computer infrastructure for national intelligence purpose. Finally, there is the prospect of information warfare, which is a broad, orchestrated attempt to disrupt a United States military operation or significant economic activity.
A typical secure computer network has an interface for receiving and transmitting data between the secure network and computers outside the secure network. A plurality of network devices are typically behind the firewall. The interface may be a modem or an Internet Protocol (IP) router. Data received by the modem is sent to a firewall which is a network security device that only allows data packets from a trusted computer to be routed to specific addresses within the secure computer network. Although the typical firewall is adequate to prevent outsiders from accessing a secure network, hackers and others can often breach a firewall. This can occur by cyber attack where the firewall becomes overwhelmed with requests and errors are made permitting access to an unauthorized user. As can be appreciated, new ways of overcoming the security devices are developed everyday. An entry by an unauthorized computer into the secured network, past the firewall, from outside the secure network is called an intrusion. This is one type of unauthorized operation on the secure computer network.
Another type of unauthorized operation is called a misuse. A misuse is an unauthorized access by a computer within the secure network. In a misuse situation, there is no breach of the firewall. Instead, a misuse occurs from inside the secure computer network. A misuse can be detected when an authorized user performs an unauthorized, or perhaps, infrequent operation which may raise the suspicion that the authorized user""s computer is being misused. For example, an unauthorized user could obtain the password of an authorized user and logon to the secured network from the authorized computer user""s computer and perform operations not typically performed by the authorized user. Another example might be where a terrorist puts a gun to the head of an authorized user and directs the authorized user to perform unauthorized or unusual operations.
There are systems available for determining a breach of computer security which can broadly be termed intrusion detection systems. Existing intrusion detection systems can detect intrusions and misuses. The existing security systems determine when computer misuse or intrusion occurs. Computer misuse detection is the process of detecting and reporting uses of processing systems and networks that would be deemed inappropriate or unauthorized if known to responsible parties. An intrusion is an entry to a processing system or network by an unauthorized outsider.
These existing computer security systems have audit capabilities which are passive. These systems collect audit information from network devices and format those audits for review. Most of the existing computer security systems known to the inventors do not take steps to stop the misuse or intrusion after it is detected. Those that do take active steps are limited to logging a user off the network, stopping communications with that computer halting operations or other forms of notification such as a message to the security officer. Manual countermeasures are necessary. Once a hacker or intruder enters a critical system computer, even if detected, the hacker may do considerable harm before an operator of the system can react and initiate an appropriate, manual countermeasure, to stop the misuse or intrusion or to positively identify the hacker. Thus, a need exists for a system which can automatically take defensive steps to stop a misuse or intrusion after it is detected. A further need exists for a system which can take offensive steps, either automatically or with human intervention, to learn more information about an intruder and perhaps disable the intruder.
It is, therefore, an object of the present invention to substantially overcome the above-identified problems and substantially fulfill the above-identified needs.
A further object is to automatically take countermeasures against an intruder or misuser.
Another object is to automatically take offensive steps against an intruder by sending an agent to the intruder""s computer system.
An additional object is to automatically take defensive steps to halt further intrusion or misuse.
These and other objects of the present invention are achieved by a method and apparatus for receiving information that an intrusion or misuse has occurred and taking countermeasures on a computer network. The computer network includes a plurality of network devices such as computers, hosts, servers and terminals, all coupled to a network communications media for monitoring the network for intrusion and misuse. Although a security device such as a firewall is typically in place to prevent intruders from accessing the computer network, hackers can often gain entry to the computer network. Also, although internal users have passwords and the like, misuse of the computer network occurs from computers within the network because misusers obtain the necessary passwords, etc. A security computer is coupled to the network communications media and includes software for deploying software agents on each of the network devices, and monitoring and controlling the deployed agents. Each agent is a computer software module which is capable of being transported from one computer to another under instruction from the security computer. The security computer receives information from agents who perform the functions of monitoring the computers on the network for misuse and intrusion and send information to the security computer indicative of suspected or actual intrusions or misuses. The security computer can then take defensive and/or offensive measures to suppress or counterattack the intruder or misuser by automatically sending defensive or offensive agents to the computer on which a suspected or actual intrusion or misuse occurred. The security computer includes a monitor for monitoring by a human system administrator.
These and other objects of the present invention are achieved by a method for a computer network including receiving information, at a security computer, that an unauthorized operation has occurred at a computer on the network. Based on this information, countermeasures are initiated automatically, from the security computer, against the unauthorized operation where the determined unauthorized operation occurred.
These and other objects of the present invention are achieved by a method for a computer network including receiving information, at a security computer, that an unauthorized operation has occurred at a computer on the network. Based on this information, countermeasures are taken from the security computer against the intrusion. The countermeasures include dispatching a transferable self-contained set of executable instructions to the identified audited computer and executing the set of executable instructions on the identified audited computer to implement the countermeasure.
These and other objects of the present invention are achieved by a computer network comprising a security computer including one or more software modules for deploying, controlling and monitoring agents on one or more nodes of the computer network. Each of the one or more computers on the computer network includes a security operative which includes at least one offensive mission for taking countermeasures against an unauthorized operation and a misdirection mission for misdirecting further unauthorized operations.
These and other objects of the present invention are achieved by a computer system including a processor. A network interface couples computers on a computer network. A memory stores executable code for taking a countermeasure and is coupled to the processor. The memory has stored therein sequences of instructions, which, when executed by the processor, cause the processor to perform the step of receiving information that an unauthorized operation has occurred on a computer on the computer network. The processor then takes countermeasures against the unauthorized operation at the audited computer including dispatching a transferable self-contained set of executable instructions to the determined computer. The computer system then causes the set of executable instructions to be executed on the determined computer to implement the countermeasure.
These and other objects of the present invention are achieved by a security computer architecture including receiving means for receiving information that an unauthorized operation occurred on the computer network. The computer architecture includes determining means for determining that an unauthorized operation has occurred at an audited computer based on the received auditing information. The computer architecture includes countermeasure means for automatically initiating countermeasures against an unauthorized operation at the audited computer.
These and other objects of the present invention are achieved by a computer readable medium having agents stored thereon. The computer readable medium has stored thereon at least one data collection agent for monitoring for an unauthorized operation on a computer within a computer network and reporting back to a security computer. The computer readable medium has stored thereon at least one misdirection agent for misdirecting requests by an actual or suspected intruder or misuser to a location in the monitored computer where the actual or suspected intruder obtains false information. The computer readable medium has stored thereon at least one offensive agent for taking countermeasures against an actual or suspected intruder to prevent or suppress further intrusion by the actual or suspected intruder.
Still other objects and advantage of the present invention will become readily apparent to those skilled in the art from following detailed description, wherein the preferred embodiments of the invention are shown and described, simply by way of illustration of the best mode contemplated of carrying out the invention. As will be realized, the invention is capable of other and different embodiments, and its several details are capable of modifications in various obvious respects, all without departing from the invention. Accordingly, the drawings are to be regarded as illustrative in nature, and not as restrictive.